* Initial version of pkcs11 testsuite
* Refactor test cases to several files, clean up awful and unused stuff
* Static mechanism list based on the actual token offer
* Get rid of magic numbers
* Documentation
* License update based on the original project
* Verbose readme
* Cleanup unused code, long lines and method order
* Typo; More verbose errors
* Use fallback mechanisms
* Refactor object allocation and certificate search
* PKCS11SPY mentioned, more TODO
* add SHA mechanisms
* Do not try to Finalize already finalized cryptoki
* Add more flags and mechanisms
* Do not list table for no results
* Logical order of the tests (regression last)
* read ALWAYS_AUTHENTICATE from correct place
* ALWAYS_AUTHENTICATE for decryption
* Test EC key length signature based on the actual key length
* Shorten CKM_ list output, add keygen types detection
* Skip decrypting on non-supported mechanisms
* Fail hard if the C_Login fails
* Reorganize local FLAGS_ constants
* Test RSA Digest mechanisms
* Correct mechanisms naming, typos
* Do not attempt to do signature using empty keys
* CKM_ECDSA_SHA1 support
* Correct type cast when getting attributes
* Report failures from all mechanisms
* Standardize return values, eliminate complete fails, documentation interface
* Wait for slot event test
* Add switch to allow interaction with a card (WaitForSlotEvent)
* At least try to verify using C_Verify, if it fails, fall back to openssl
* Get rid of function_pointers
* Get rid of additional newline
* Share always_authenticate() function between the test cases
* Refactor Encrypt&decrypt test to functions
* Do not overwrite bits if they are not provided by CKA, indentation
* Cleanup and Break to more functions Sign&Verify test
* CKM_RSA_X_509 sign and verify with openssl padding
* More TODO's
* Proper abstracted padding with RSA_X_509 mechanism
* Add ongoing tasks from different TODO list
* Update instructions. Another todo
* Variables naming
* Increase mechanism list size, use different static buffers for flags and mechanism names
* nonstandard mechanism CKM_SHA224_RSA_PKCS supported by some softotkens
* Get rid of loop initial declarations
* Loop initial declaration, typos, strict warnings
* Move the p11test to the new folder to avoid problems with dynamically linked opensc.so
* Update path in README
* Possibility to validate the testsuite agains software tokens
* Add possibility to select slot ID on command-line (when there are more cards present)
* Clean up readme to reflect current options and TODOs
* Do not attempt to use keys without advertised sign&verify bits to avoid false positives
* Get and present more object attributes in readonly test; refactor table
* New test checking if the set of attributes (usage flags) is reasonable
* Test multipart signatures. There is not reasonable mechanism supporting multipart encryption
* Use PKCS#11 encryption if possible (with openssl fallback)
* Identify few more mechanisms (PSS) in the lest
* Resize table to fit new mechanisms
* Remove initial loop declaration from multipart test
* Use pkcs11-tool instead of p11tool form most of the operations (master have most of the features)
* Preparation for machine readable results
* Refactor log variables out of the main context, try to export generic data
* Do not write to non-existing FD if not logging
* Export missing data into the log file in JSON
* Store database in json
* Sanity check
* Avoid uninitialized structure fields using in state structure
* Dump always_authenticate attribute too
* Manual selection of slots with possibility to use slots without tokens
* Do not free before finalizing
* Proper cleanup of message in all cases
* Proper allocation and deallocation of messages
* Sanitize missing cases (memory leaks)
* Suppressions for testing under valgrind
* Better handling message_lengt during sign&verify (avoid invalid access)
* Suppress another PCSC error
* Do not use default PIN. Fail if none specified
* Sanitize initialization. Skip incomplete key pairs
* Add missing newline in errors
* Fix condition for certificate search
* Avoid several calls for attributes of zero length
* Handle if the private key is not present on the card
* Improve memory handling, silent GCC warning of 'unused' variable
* Fail early with missing private key, cleanup the messages
* Use correct padding for encryption
* Cache if the card supports Verify/Encrypt and avoid trying over and over again
* Loosen the condition for the Usage flags
* OpenSSL 1.1.0 compatibility
* Add missing mechanisms
* Do not require certificates on the card and pass valid data for RSA_PKCS mechanisms
* Add missing PIN argument in runtest.sh
* Add OpenSSL < 1.1 comatible bits
* Add SHA2 ECDSA mechanisms handling
* Use public key from PKCS#11 if the certificate is missing (or compare it with certificate)
* Avoid long definitions in OpenSSL compat layer
* In older OpenSSL, the header file is ecdsa.h
* Add missing config.h to apply compat OpenSSL layer
* ASN1_STRING_get0_data() is also new in 1.1.0
* Return back RSA_X_509 mechanism
* Drop bogus CKM_* in the definitions
* Drop CKM_SHA224_RSA_PKCS as it is already in pkcs11.h
* Update documentation
* Use NDEBUG as intended
* typos, cleanup
* Typos, cleanup, update copyright
* Additional check for OpenCryptoki, generate more key types on soft tokens
* Prepare for RSA-PSS and RSA-OAEP
* Use usage&result flags for the tests, gracefully ignore PSS&OAEP
* pkcs11.h: Add missing definitions for PSS
* PSS and OAEP tests
readonly: Typos, reformat
* Working version, memory leak
* Tweak message lengths for OAEP and PSS
* Skip tests that are not aplicable for tokens
* configure.ac: New switch --enable-tests
Do not attempt to build tests if cmocka is not available or
--enable-tests is provided. It makes also more lightweight release
builds out of the box (or with --disable-tests).
* travis: Install cmocka if not available
* Do not build tests on Windows and make dist pass
* Try to install cmocka from apt and from brew
* Do not require sudo (cmocka from apt and brew works)
When loaded as PKCS#11 module, OpenSC will reuse the application
identifier for each instance. We don't want to put any burdon on the
primary GApplication, so we use a non unique ID.
fixes https://github.com/OpenSC/OpenSC/issues/1332
Explicitly mention that this script builds the tokend and command
line tools (as it does not build the CryptoTokenKit app extension).
Add two missing packages in the list of build dependencies.
OpenSCToken (https://github.com/frankmorgner/OpenSCToken) is now a
standalone package that provides the CryptoTokenKit app extension.
It includes its own 'build-package' script, which handles building
the OpenSC library and statically linking against it.
The 'MacOSX/' directory in OpenSC itself is only used to build the
macOS tokend. Remove unused code for building a CryptoTokenKit app
extension from this directory (which no longer works). This should
help to avoid confusion when building OpenSC for macOS.
The PKCS#15 emulation layer for the CAC uses a single PIN. Set its
label to "PIN" (rather than the card type "CAC I" or "CAC II"), so
that the PIN label will be omitted from the token label, providing
more space for the card holder name instead.
This is intended to match the behavior used for PIV cards, which
was changed with commit 56c8f59b25.
During a pull request, it might not be possible for all components
(such as the PKCS#11 module, Windows minidriver, or macOS tokend)
to be tested by the same person using the same card; not everyone
has access to all of the platforms supported by OpenSC. When there
are no card-specific changes, each component might be tested by a
different person using a different type of card.
The pull request template contains a checklist with each component
that needs to be tested (which can be adapted as needed). However,
this checklist also includes an item for the type of card used for
testing. This should certainly be included in the message, but it
doesn't quite seem to belong in the checklist as a separate item,
particularly when considering the multiple-card testing situation
described above. It seems that the checklist is intended to track
specific tasks that still need to be completed.
This change slightly adjusts the template in order to handle this.
(It is still just a template, and it can be adapted for each pull
request as needed.)
* Handle errors as intended in sc_pkcs15emu_openpgp_add_data()
If a data object can be read, but it cannot be added to the PKCS#15
framework, return from this function with an error; do not continue
reading other data objects. Otherwise, do not return an error from
this function when a data object cannot be read or is empty.
Improve existing comments for clarity.
* Address other compiler warnings when using --disable-optimization
Certain variables that are not initialized when they are declared
prevent the build from completing, when --disable-optimization is
passed to ./configure.
1. In epass2003_set_security_env, remove unused code, add condition
check of ec and rsa
2. Line 1709 - add return check of hash_data
3. In epass2003_decipher API, the old sign using apdu.le = 256, now add
condition check of rsa
4. Line 2731-2734 - After login successful, need get session status,
adjust code, improve condition check of data->cmd.
Remove all the code related to the old GUI and PIN PAD.
This code was initially developed by Zetes and had the ability to
display a dialog to request the PIN to the user. It was also able to
manage some specific proprietary pin pads.
As the Belgian government/fedict has now its own implementation, all
these old crufts can be removed.
https://github.com/OpenSC/OpenSC/issues/1296
Some ActivIdentity CAC/PIV cards lose the login state when selecting
the PIV AID SC_CARD_TYPE_PIV_II_CAC and CI_PIV_AID_LOSE_STATE were added
so piv_card_reader_lock_obtained will try and do a SELECT PIV AID.
card->type is reset to its original value if piv_match_card_continued
fails to match a card as PIV.
pkcs15-piv.c now uses sc_card_ctl which checks card->ops->card_ctl for NULL.
closes https://github.com/OpenSC/OpenSC/pull/1307
fixes https://github.com/OpenSC/OpenSC/issues/1297
We can't check for `tag == SC_ASN1_TAG_EOC` directly, because this
would also be true for a tag of 0x80 (with `class ==
SC_ASN1_CLASS_CONSTRUCTED`). So what we do is we check for the output
buffer to be NULL!
fixes https://github.com/OpenSC/OpenSC/issues/1273
Jakub Jelen
Frank Morgner
David Ward
Peter Marschall
Feitian Technologies
Laurent Bigonville
Doug Engert
Jakub Jelen
Mouse
sergioag
AnthonyA